Virtual Machine

ABSTRACT

A computer-implemented method for executing a software application in a virtual machine executing on a data processing device includes receiving software code for a software application, determining application programming interfaces referenced by the software code, determining portions of an operating system accessed by the software code and creating an application container in the virtual machine. The method also includes application programming interfaces referenced by the software code inside the application container, portions of the operating system accessed by the software code inside the application container and executing the software application inside the application container on the virtual machine.

CROSS REFERENCE TO RELATED APPLICATIONS

This U.S. patent application is a continuation of, and claims priorityunder 35 U.S.C. § 120 from, U.S. patent application Ser. No. 16/703,452,filed on Dec. 4, 2019, which is a continuation of U.S. patentapplication Ser. No. 15/350,017, filed on Nov. 12, 2016, which is acontinuation of U.S. patent application Ser. No. 14/645,534, filed onMar. 12, 2015, which claims priority under 35 U.S.C. § 119(e) to U.S.Provisional Application 61/969,369, filed on Mar. 24, 2014. Thedisclosures of these prior applications are considered part of thedisclosure of this application and are hereby incorporated by referencein their entireties.

TECHNICAL FIELD

This disclosure relates to virtual machines executable on a dataprocessing device.

BACKGROUND

In a distributed system, a data processing device can executeinstructions configuring the data processing device to instantiate aninstance of a virtual machine. A virtual machine can emulate a computerand an operating system running on the computer. A virtual machine canbe used to execute a software application.

SUMMARY

One aspect of the disclosure provides a distributed system for a virtualmachine. The distributed system includes one or more data processingdevices executing instructions configuring the one or more dataprocessing devices to execute a virtual machine and an applicationserver. The virtual machine includes a software application and anagent. The agent is configured to receive a first health status of thesoftware application, determine a second health status of the softwareapplication, compare the first health status and the second healthstatus and restart the software application based on the comparison. Theapplication server is configured to remotely determine the first healthstatus of the software application and send the first health status ofthe software application to the virtual machine.

Implementations of the disclosure may include one or more of thefollowing optional features. In some implementations, the agent isconfigured to restart the software application in response to the firsthealth status being different from the second health status. The agentmay further be configured to receive the first health statusperiodically and to restart the software application in response to notreceiving the first health status within a threshold period of time.

In some examples, the application server is further configured toreceive a health check configuration and determine the first healthstatus of the software application based on the health checkconfiguration. The agent may be configured to receive a health checkconfiguration and determine the second health status based on the healthcheck configuration. The health check configuration may be provided by auser.

The virtual machine may further include a health check handlerinterfaced with the software application and the application server maydetermine the first health status via the health check handler. Thesecond health status may include a previous health status determined bythe application server. The agent may be configured to restart thevirtual machine based on the comparison. The agent may further beconfigured to restart the virtual machine in response to a subsequentmismatch between the first health status and the second health statusafter the application is restarted.

Another aspect of the disclosure provides a computer-implemented methodfor an operating a virtual machine. This aspect may include one or moreof the following optional features. The computer-implemented methodincludes executing a software application in a virtual machine executingon a data processing device and receiving, at the virtual machine, afirst health status of the software application from an applicationserver executing on a data processing device. The method furtherincludes determining, at the virtual machine, a second health status ofthe software application, comparing the first health status and thesecond health status and restarting the software application based onthe comparison.

In some implementations, restarting the virtual machine includesrestarting in response to the first health status being different fromthe second health status. Receiving a first health status of thesoftware application may include receiving the first health statusperiodically. Restarting the virtual machine may further includerestarting the software application in response to not receiving thefirst health status within a threshold period of time.

In some examples, the method further includes receiving a health checkconfiguration, wherein the first health status and the second healthstatus of the software are determined based on the health checkconfiguration. The health check configuration may be provided by a user.

The method may include determining the first health status of thesoftware application via a health check handler interfaced with thesoftware application. The second health status may include a previoushealth status determined by the application server. The method mayinclude restarting the virtual machine based on the comparison. Themethod may further include restarting the virtual machine in response toa subsequent mismatch between the first health status and the secondhealth status after the software application is restarted.

Yet another aspect of the disclosure provides a virtual machineexecutable on a data processing device. This aspect may include one ormore of the following optional features. The virtual machine includes asoftware application and an agent. The agent is configured to receive afirst health status of the software application executing in a virtualmachine, determine a second health status of the software application,compare the first health status and the second health status and restartthe software application based on the comparison.

In some examples, the agent is configured to restart the softwareapplication in response to the first health status being different fromthe second health status and to receive the first health statusperiodically. The agent may be configured to restart the softwareapplication when the agent does not receive the first health statusduring a predetermined time duration. The agent may further beconfigured to receive a health check configuration and determine thesecond health status based on the health check configuration.

The virtual machine may include a health check handler interfaced withthe software application, wherein the agent is configured to receive thefirst health status and determine the second health status via thehealth check handler. The second health status may be based on a firsthealth status determined at a previous time. The agent may be configuredto restart the virtual machine based on the comparison or to restart thevirtual machine in response to a subsequent mismatch between the firsthealth status and the second health status after the softwareapplication is restarted.

Yet another aspect of the disclosure provides a distributed system fordeploying a software application. The distributed system includes one ormore data processing devices and a non-transitory computer readablemedium. The data processing devices execute instructions configuring theone or more data processing devices to execute a virtual machine and anapplication server. The virtual machine includes an image of anoperating system and a software application. The non-transitory computerreadable medium is in communication with the one or more data processingdevices. The non-transitory computer readable medium stores an imagerepository that stores one or more images. The application server isconfigured to receive a selection of a policy from a plurality ofpolicies and associate the selected policy with the softwareapplication. In response to the selected policy being a first policy,when the software application is first deployed, the application serveris configured to archive the image mounted on the virtual machine in theimage repository and associate the mounted image with the softwareapplication. In response to receiving a command to redeploy the softwareapplication, if the policy associated with the software application isthe first policy, the application server is configured to retrieve theimage associated with the software application from the imagerepository. If the policy associated with the software application is asecond policy, the application server is configured to retrieve the mostrecent image in the image repository, mount the retrieved image on thevirtual machine and redeploy the software application.

The computer readable medium may further store a security repositorystoring a security patch. The application sever may be furtherconfigured to, in response to receiving the command to redeploy thesoftware application, install the security patch on the virtual machine,if the policy associated with the software application is the secondpolicy, and not install the security patch on the virtual machine, ifthe policy associated with the software application is the first policy.The application server may be further configured to, in response to theselected policy being a third policy, and when the software applicationis first deployed, archive the image mounted on the virtual machine inthe image repository and associate the mounted image with the softwareapplication. In response to receiving the command to redeploy thesoftware application, the application server is configured to retrievethe image associated with the software application from the imagerepository and install the security patch on the virtual machine.

In some examples, the non-transitory computer readable medium stores asoftware package repository and the virtual machine includes a softwarepackage. The application server may be further configured to, inresponse to the selected policy being a first policy, when the softwareapplication is first deployed, archive the software package installed onthe virtual machine in the non-transitory software package repositoryand associate the installed software package with the softwareapplication. In response to receiving a command to redeploy the softwareapplication, if the policy is associated with the software applicationis the first policy, the application server is configured to retrievethe software package associated with the software application from thenon-transitory software package repository. If the policy associatedwith the software application is a second policy, the application serveris configured to retrieve the most recent software package stored in thenon-transitory software package repository and install the retrievedsoftware package on the virtual machine.

Yet another aspect of the disclosure provides a method for deploying asoftware application. The method includes, at an application server,receiving a selection of a policy from a plurality of policies andassociating the selected policy with the software application. Inresponse to the selected policy being a first policy, when the softwareapplication is first deployed, the method includes archiving the imagemounted on the virtual machine in a non-transitory image repository andassociating the mounted image with the software application. In responseto receiving a command to redeploy the software application, if thepolicy associated with the software application is the first policy, themethod includes retrieving the image associated with the softwareapplication from the non-transitory image repository. If the policyassociated with the software application is a second policy, the methodincludes retrieving the most recent image stored in the non-transitoryimage repository, mounting the retrieved image on a virtual machine andredeploying the software application.

In some examples, the method includes, in response to retrieving thecommand to redeploy the software application, installing a securitypatch on the virtual machine, if the policy associated with the softwareapplication is the second policy, and not installing the security patchon the virtual machine, if the policy associated with the softwareapplication is the first policy. The method may further include, inresponse to the selected policy being a third policy, and when thesoftware application is first deployed, archiving the image mounted onthe virtual machine in the non-transitory image and associating themounted image with the software application. In response to receivingthe command to redeploy the software application, the method includesretrieving the image associated with the software application from thenon-transitory image repository and installing the security patch on thevirtual machine.

The method may further include, in response to the selected policy beinga first policy, and when the software application is first deployed,archiving the software package installed on the virtual machine in thenon-transitory software package repository and associating the installedsoftware package with the software application. In response to receivinga command to redeploy the software application, if the policy associatedwith the software application is the first policy, the method includesretrieving the software package associated with the software applicationfrom the non-transitory software package repository. If the policyassociated with the software application is a second policy, the methodincludes retrieving the most recent software package stored in thenon-transitory software package repository and installing the retrievedsoftware package on the virtual machine.

Yet another aspect of the disclosure provides a distributed system fordeploying a software application. The distributed system includes one ormore data processing devices, a non-transitory computer readable mediumand an application server. The one or more data processing devicesexecute instructions configuring the one or more data processing devicesto execute a virtual machine including an image of an operating systemmountable on the virtual machine, a software package executable on thevirtual machine and a software application executable on the virtualmachine. The non-transitory computer readable medium stores an imagerepository, a software package repository and a security repository. Theapplication server is in electronic communication with the computerreadable medium and is configured to receive a command to redeploy thesoftware application. In response to one of a first policy and a secondpolicy being associated with the software application, the applicationserver mounts a previously mounted image on the virtual machine andinstalls a previously installed software package on the virtual machine.In response to the second policy being associated with the softwareapplication, the application server installs a security patch from thesecurity repository. In response to the third policy being associatedwith the software application, the application server mounts a new imageon the virtual machine, installs a new software package on the virtualmachine, installs the security patch from the security repository andredeploys the software application.

Another aspect of the disclosure provides a computer-implemented methodfor deploying a software application on a virtual machine executing on adata processing device. The method includes receiving a command toredeploy the software application. In response to one of a first policyand a second policy being associated with the software application, themethod includes mounting a previously mounted image on the virtualmachine and installing a previously installed software package on thevirtual machine. In response to the second policy being associated withthe software application, the method includes installing a securitypatch from the non-transitory security repository. In response to thethird policy being associated with the software application, the methodincludes mounting a new image on the virtual machine, installing a newsoftware package on the virtual machine, and installing the securitypatch from the non-transitory security repository and redeploying thesoftware application.

Another aspect of the disclosure provides a virtual machine executableon a data processing device. The virtual machine includes an image of anoperating system executable on the virtual machine. The operating systemincludes a file system and a plurality of application programminginterface libraries. The application container includes a file systemmount interfaced with the file system residing outside the applicationcontainer, a software application including a reference to anapplication programming interface and the application programminginterface referenced by the software application. The applicationcontainer does not include application programming references that arenot referenced by the software application.

In some examples, the file system includes an application specificlogging folder and the file system mount in the application container isinterfaced with the application specific logging folder. The softwareapplication may include a reference to a portion of the operatingsystem, the application container may include only the portion of theoperating system referenced by the software application and theunreferenced portion of the operation system may be outside theapplication container. The application container may be configured toprevent the software application from accessing a resource locatedoutside the application container. The application container may befurther configured to generate a warning in response to the softwareapplication attempting to access a resource outside the applicationcontainer.

In some implementations, the virtual machine includes an agentconfigured to terminate the software application in response to thesoftware application attempting to access a resource outside theapplication container. The agent may further be configured to terminatethe virtual machine in response to the software application attemptingto access a resource outside the application container.

Yet another aspect of the disclosure provides a computer-implementedmethod for executing a software application in a virtual machineexecuting on a data processing device. The method includes receivingsoftware code for a software application, determining applicationprogramming interfaces referenced by the software code, determiningportions of an operating system accessed by the software code andcreating an application container in the virtual machine. The methodalso includes application programming interfaces referenced by thesoftware code inside the application container, portions of theoperating system accessed by the software code inside the applicationcontainer and executing the software application inside the applicationcontainer on the virtual machine.

In some examples, the method includes halting execution of the softwareapplication in response to the software application attempting to accessan application programming interface outside the application container.The method may further include halting the virtual machine in responseto the software application accessing an unauthorized applicationprogramming interface outside the application container.

The details of one or more implementations of the disclosure are setforth in the accompanying drawings and the description below. Otheraspects, features, and advantages will be apparent from the descriptionand drawings, and from the claims.

DESCRIPTION OF DRAWINGS

FIG. 1 is a schematic view of an example distributed computing system.

FIG. 2 is block diagram of an example implementation of the distributedcomputing system shown in FIG. 1.

FIG. 3 is an example arrangement of operations for monitoring the healthof a virtual machine.

FIG. 4 is a block diagram of another example implementation of thedistributed computing system.

FIG. 5 is an example arrangement of operations for redeploying asoftware application on a virtual machine.

FIG. 6 is a block diagram of an example virtual machine interfaced withan application server.

FIG. 7 is an example arrangement of operations for executing a softwareapplication on a virtual machine.

Like reference symbols in the various drawings indicate like elements.

DETAILED DESCRIPTION

FIG. 1 depicts a distributed computing system 100. The distributedcomputing system 100 includes one or more data processing devices 102,one or more non-transitory storage mediums 104 and a network 106connecting the data processing devices 102 and the non-transitorystorage mediums 104. A data processing device 102 can executeinstructions that configure the data processing device 102 to executeone or more virtual machines 110. The virtual machines 110 can executeone or more software applications 120. A data processing device 102 canexecute instructions that configure the data processing device 102 toexecute one or more application servers 130. The non-transitory storagemediums 104 can include one or more datastores 140.

In some implementations, the distributed computing system 100 connectsto a public network 160, for example the Internet. Moreover, the network106 may include a firewall 150 to prevent unauthorized access to thedistributed computing system 100. Users 180 can access the distributedcomputing system 100 through user computers 170. A software developer180 d of the software applications 120 may access the distributedcomputing system 100 through a developer computer 170 d. Finally, anend-user 180 e can access the software applications 120 through anend-user computer 170 e.

The virtual machine 110 is a software-based emulation of a computer. Thevirtual machine 110 operates based on the computer architecture andfunctions of a real or hypothetical computer. The software application120 executed by the virtual machine 110 may have a health status 121,which may include a healthy status 121H or an unhealthy status 121U. Insome implementations, the virtual machine 110 and/or the applicationserver 130 determines the health status 121 of the software application120. Moreover, the user 180 may specify the manner in which the virtualmachine 110 and/or the application server 130 determine the healthstatus 121 of the software application 120.

In some implementations, the application server 130 manages the softwareapplication 120. In some scenarios, several virtual machines 110 executea single software application 120. The application server 130 may managethe network traffic being sent to each virtual machine 110 executing thesoftware application 120. For example, if the application server 130determines that a particular virtual machine 110 executing the softwareapplication 120 is slow, then the application server 130 can sendnetwork traffic to another virtual machine 110. The software application120 can use a datastore 140 as operating memory or to store datagenerated by the software application 120.

FIG. 2 depicts an example implementation of the distributed computingsystem 100. In some implementations, the virtual machine 110 includes anagent 112, which controls the operation of the virtual machine 110. Insome implementations, the agent 112 can shut down the virtual machine110 and/or restart the virtual machine 110. In this example, the virtualmachine 110 includes a special health check handler 114 that checks thehealth status 121 of the software application 120. In someimplementations, the agent 112 is configured to check the health status121 of the software application 120 via the special health check handler114. The software application 120 may further include an applicationhealth check handler 122. The special health check handler 114 mayinteract with the application health check handler 122 to determine thehealth status 121 of the software application 120.

The health check handlers 114, 122 may determine the health status 121of the software application 120 in any suitable manner. In someimplementations, the health check handlers 114, 122 determine the healthstatus 121 of the software application 120 by assessing theresponsiveness of the software application 120. The health checkhandlers 114, 122 may determine the responsiveness of the softwareapplication 120 by measuring an amount of time the software application120 takes to complete a particular task. For example, the health checkhandlers 114, 122 may request the software application 120 to provideinformation regarding an amount of memory the software application 120is currently using. If the software application 120 provides therequested information within a predetermined amount of time (e.g., 5ms), then the health check handlers 114, 122 may determine that thehealth status 121 of the software application 120 is healthy 121H. Onthe other hand, if the software application 120 does not respond to therequest or takes too long to respond to the request (e.g. more than 10s), then the health check handlers 114, 122 may determine that thesoftware application 120 is unhealthy 121U.

In some implementations, the health check handlers 114, 122 determinethe health status 121 of the software application 120 by determining anumber of memory leaks in the software application 120. The virtualmachine 110 may have allocated a block of memory for the softwareapplication 120 to use. If the software application 120 uses a memoryblock that is not within the allocated block, then the health checkhandlers 114, 122 may determine that the software application 120 isunhealthy 121U.

In other implementations, the health check handlers 114, 122 maydetermine the health status 121 of the software application 120 bydetermining whether the software application 120 is attempting to accessan unauthorized or restricted application programming interface (API).The virtual machine 110 may restrict access to certain APIs to prevent acorrupt or malicious software application 120 from causing damage to thevirtual machine 110. If the software application 120 is attempting toaccess a restricted API, then the health check handlers 114, 122 maydetermine that the software application 120 is unhealthy 121U.

In yet other implementations, the health check handlers 114, 122 maydetermine the health status 121 of the software application 120 based onuser feedback. An end user 180 e may rate the software application 120.For example, the end user 180 e may provide a rating that ranges fromone star to five stars, where one star corresponds with a poor softwareapplication and five stars correspond with an outstanding softwareapplication. The health check handlers 114, 122 may determine that asoftware application 120 is unhealthy 121U, if the number of one starratings that a software application 120 receives exceeds a threshold(e.g., 1000). The health check handlers 114, 122 may use other methodsfor determining the health status 121 of the software application 120.

The agent 112 determines a local health status 121L of the softwareapplication 120. Although the agent 112 determines the local healthstatus 121L of the software application 120, the local health status121L may not be representative of the true health status 121 of thesoftware application 120. Since the agent 112 resides inside the virtualmachine 110, it is difficult for the agent 112 to determine the truehealth status 121 of the software application 120 (i.e., the health ofthe software application 120 as determined by the application server 130from outside the virtual machine 110).

The health check handlers 114, 122 may determine the health status 121of the software application 120 in accordance with health checkconfigurations 174. In some implementations, user application files 172that can reside in the user computer 170 specify the health checkconfigurations 174. Additionally or alternatively, both the softwaredeveloper 180 d and the end user 180 e may specify the health checkconfigurations 174. In yet additional implementations, only the softwaredeveloper 180 d or only the end user 180 e may specify the health checkconfigurations 174. The health check configurations 174 can specify howand/or when the application server 130 and/or the virtual machine 110determine the health status 121 of the software application 120. Forexample, the health check configurations 174 may specify that if asoftware application 120 does not respond to a request within fivemilliseconds, then the health status 121 of the software application 120is unhealthy 121U.

In some examples, the health check configurations 174 specify that thehealth status 121 of the software application 120 is to be determinedperiodically, e.g., every five seconds. The health check configurations174 may specify an amount of memory or the number of virtual machines110 that the software application 120 is permitted to use, and if thesoftware application 120 exceeds the usage limits then the health status121 of the software application 120 is unhealthy 121U. Moreover, thehealth check configurations 174 may specify a list of resources that thesoftware application 120 uses during execution. If, during execution,the software application 120 uses resources other than theuser-specified resources, then the health status 121 of the softwareapplication 120 is unhealthy 121U. For example, the health checkconfigurations 174 may specify the software application 120 is notpermitted to use a camera API. If the software application 120 attemptsto use the camera API, then the health check handlers 114, 122 determinethat the software application 120 is unhealthy 121U.

In some scenarios, the software application 120 can become corrupt andcan start behaving in an unpredictable manner. In such scenarios, thehealth check parameters 114 and/or 122 can determine that the softwareapplication 120 is unhealthy 121U. For example, the health checkconfigurations 174 may specify the expected behavior of the softwareapplication 120. If the software application 120 deviates from theexpected behavior specified in the health check configurations 174, thenthe health check handlers 114, 122 can determine that the softwareapplication 120 is unhealthy 121U. In the above example, the softwaredeveloper 180 d or the end user 180 e may specify the expected behaviorof the software application 120 in the health check configurations 174.

In some implementations, the application server 130 includes anadministration console 132. The administration console 132 may provide agraphical user interface (GUI) to the user computer 170. The user 180can use the GUI to provide the health check configurations 174 to theadministration console 132. After the administration console 132receives the health check configurations 174, the administration console132 sends the health check configurations 174 to a data handler 134. Thedata handler 134 can convert the health check configurations 174 into aformat that can be stored in a datastore 140. For example, the datahandler 134 may validate input provided by the user 180 to make sure theinput is valid. The data handler 134 may also verify whether the healthcheck handlers 114, 122 are configured to determine the health status121 of the software application 120 in accordance with the health checkconfigurations 174 provided by the user 180. In some instances, thehealth check handlers 114, 122 may not be configured to determine thehealth status 121 of the software application 120 in accordance with thehealth check configurations 174 provided by the user 180. For example,the user 180 may have specified, in the health check configurations 174,for the health check handlers 114, 122 to determine the health status121 every microsecond. But the health check handlers 114, 122 may beconfigured to determine the health status 121 at intervals ofmilliseconds. The data handler 134 may ignore the portion of the healthcheck configurations 174 that directs the health check handlers 114, 122to determine the health status 121 at every millisecond. Similarly, thedata handler 134 may ignore other portions of the health checkconfigurations 174 with which the health check handlers 114, 122 are notable to comply.

The administration console 132 sends the health check configurations 174to an application master 138. While the application master 138 is shownseparate from the application server 130, the application master 138 canbe a part of the application server 130. The application master 138manages all configuration data for the software application 120. Theapplication master 138 receives the health check configurations 174 fromthe administration console 132 and stores the health check configuration174 in the application configuration datastore 140 b. Similar to thedata handler 134, the application master 138 may validate the healthcheck configuration 174 to make sure the health check configuration 174is valid. The application master 138 may ignore certain health checkconfigurations 174 that are infeasible (e.g., not possible to check).The application configuration datastore 140 b stores the health checkconfigurations 174 in a suitable format.

An application health monitor 136 determines a remote health status 121Rof the software application 120 in accordance with the health checkconfigurations 174. Unlike the agent 112, the application health monitor136 is able to determine the health status 121 of the softwareapplication 120 from outside the virtual machine 110. Therefore, theremote health status 121R determined by the application health monitor136 may be more accurate than the local health status 121L determined bythe agent 112.

The application health monitor 136 determines the remote health status121R of the software application 120 by interacting with the specialhealth check handler 114, which in turn interacts with the applicationhealth check handler 122 inside the software application 120. Afterdetermining the remote health status 121R, the application healthmonitor 136 sends the remote health status 121R to the special healthcheck handler 114. The special health check handler 114 saves the remotehealth status 121R for later use.

The agent 112 can receive the remote health status 121R determined bythe application health monitor 136 from the special health check handler114. In this manner, the agent 112 is aware of the local health status121L and also the remote health status 121R. The agent 112 compares thelocal health status 121L with the remote health status 121R. If there isa mismatch between the local health status 121L and the remote healthstatus 121R, then the agent 112 restarts the software application 120.If after restarting the software application 120 there is still amismatch between a subsequent local health status 121L and a subsequentremote health status 121R, then the agent 112 restarts the virtualmachine 110.

Unlike other virtual machines that may not be aware of the remote healthstatus 121R, the virtual machine 110 and the agent 112 are aware of theremote health status 121R. In some scenarios, the remote health status121R is unhealthy 121U, but the local health status 121L is healthy121H. Other virtual machines that are not aware of an unhealthy remotehealth status 121R may continue to execute the software application 120as long as the local health status 121L is healthy 121H. Unaware virtualmachines are at a disadvantage, because the application server 130 maynot direct network traffic to the unaware virtual machines. By contrast,the virtual machines 110 in the examples shown are aware of the remotehealth status 121R. In response to the remote health status 121Rbecoming unhealthy 121U, the virtual machines 110 may restart thesoftware application 120 and/or the virtual machine 110 therebyrestoring the flow of network traffic into the virtual machines 110.

FIG. 3 illustrates a method 300 for providing a software application 120in a virtual machine 110. At 310, the virtual machine 110 executes asoftware application 120. At 315, the administrative console 132receives health check configurations 174 for the software application120 from the user 180. At 320, the data handler 134 and/or theapplication master 138 convert the health check configurations 174 intoa storable format. As explained above, the data handler 134 may convertthe health check configurations 174 into a format suitable for thehealth check configuration datastore 140 a and the application master138 may convert the health check configurations 174 into a formatsuitable for the application configuration datastore 140 b. At 325, themethod 300 includes storing the health check configurations 174 in adatastore 140.

At 330, the application health monitor 136 determines a remote healthstatus 121R of the software application 120. As discussed above, theapplication health monitor 136 may determine the remote health status121R of the software application 120 via the special health checkhandler 114. The special health check handler 114 in turn may determinethe health status 121 of the software application 120 by interactingwith the application health check handler 122 residing inside thesoftware application 120.

At 335, the application health monitor 136 sends the remote healthstatus 121R to the virtual machine 110. The application health monitor136 may send the remote health status 121R to the special health checkhandler 114. Alternatively, the application health monitor 136 may sendthe remote health status 121R directly to the agent 112.

At 340, the virtual machine 110 determines a local health status 121L ofthe software application 120. In this implementation, the agent 112determines the local health status 121L of the software application 120.The agent 112 may determine the local health status 121L of the softwareapplication 120 via the special health check handler 114. In someimplementations, the agent 112 and/or the special health check handler114 may determine the local health status 121L based on a previousremote health status 121R. For example, if the agent 112 and/or thespecial health check handler 114 determine that the last remote healthstatus 121R is unhealthy 121U, then the agent 112 and/or the specialhealth check handler 114 determine that the local health status 121L isunhealthy 121U. In some implementations, if the agent 112 and/or thespecial health check handler 114 determine that the last remote healthstatus 121R is too old, then the agent 112 or the special health checkhandler 114 determine that the local health status 121L is unhealthy121U. The last remote health status 121R may be too old if a differencebetween a current time and a time at which the agent 112 or the specialhealth check handler 114 received the last remote health status 121R isgreater than a threshold, for example one, two or five minutes.

At 345, the agent 112 compares the local health status 121L and theremote health status 121R. If the local health status 121L matches theremote health status 121R, then the method 300 ends at 365. If, however,the local health status 121L and the remote health status 121R do notmatch, then the method 300 proceeds to 350. As discussed above, in somecases, the local health status 12L may be healthy 121H but the remotehealth status 121R may be unhealthy 121U. This can happen because theagent 112 is inside the virtual machine 110 and it is difficult for theagent 112 to correctly determine the health status 121 of the softwareapplication 120.

If the local health status 121L and the remote health status 121R do notmatch, then the agent 112 first attempts to rectify the mismatch byrestarting the software application 120, at 355. If after restarting thesoftware application 120, subsequent determinations of the local healthstatus 121L and the remote health status 121R match, then the agent 112does not restart the virtual machine 110. If, however, after restartingthe software application 120 subsequent determinations of the localhealth status 121L and the remote health status 121R still do not match,then the agent 112 restarts the virtual machine 110, at 360.

FIG. 4 illustrates a distributed computing system 400. The distributedcomputing system 400 is similar to the distributed computing system 100shown in FIG. 1. The distributed computing system 400 includes one ormore virtual machines 410, an application server 430 and one or morerepositories 440. As shown, the distributed computing system 400includes three virtual machines 410, each executing a different softwareapplications 420. Virtual machine 410 a is executing softwareapplication 420 a, virtual machine 410 b is executing softwareapplication 420 b and virtual machine 410 c is executing softwareapplication 420 c.

Each software application 420 has an associated policy 424. The policy424 specifies how the virtual machine 410 is instantiated when asoftware application 420 is redeployed subsequent to an initialdeployment of the software application 420. If a software application420 is redeployed subsequent to the initial deployment of the softwareapplication 420, the policy 424 specifies which image 416 is mounted onthe virtual machine 410 prior to the redeployment of the softwareapplication 420. The policy 424 may further specify which softwarepackage 418 is installed on the virtual machine 410 prior to theredeployment of the software application 420. The policy 424 may alsospecify whether a security patch 448 is installed on the virtual machine410 prior to the redeployment of the software application 420. In theexample of FIG. 4, there are three policies 424: a fixed policy 424 a, asecurity policy 424 b; and an automatic update policy 424 c. In otherexamples, there may be more or less than three policies 424.

The fixed policy 424 a specifies that when a software application 420 aassociated with the fixed policy 424 a is redeployed subsequent to aninitial deployment, the virtual machine 410 a mounts the same image 416a that was mounted when the software application 420 a was initiallydeployed. The fixed policy 424 a further specifies that virtual machine410 a install the same software package 418 a that was installed on thevirtual machine 410 a when the software application 420 a was initiallydeployed. The fixed policy 424 a further specifies that the virtualmachine 410 a not install the security patch 448 unless the securitypatch 448 was installed on the virtual machine 410 a when the softwareapplication 420 a was initially deployed. In some implementations,initial deployment of the software application 420 refers to a time whenthe software application 420 was deployed for the very first time in aproduction environment.

The security policy 424 b specifies that when a software application 420b associated with the security policy 424 b is redeployed subsequent toan initial deployment, the virtual machine 410 b mount the same image416 b that was mounted when the software application 420 b was initiallydeployed. The security policy 424 b further specifies that virtualmachine 410 b install the same software package 418 b that was installedon the virtual machine 410 b when the software application 420 b wasinitially deployed. The security policy 424 b further specifies that thevirtual machine 410 b install the security patch 448. The securitypolicy 424 b differs from the fixed policy 424 a in that the securitypolicy 424 b requires the virtual machine 410 b to install the securitypatch 448, whereas the fixed policy 424 a does not require the virtualmachine 410 to install the security patch 448.

The automatic update policy 424 c specifies that when a softwareapplication 420 c associated with the automatic update policy 424 c isredeployed subsequent to an initial deployment, the virtual machine 410c mount the latest image 416 c that is stored in the remote imagerepository 442. The automatic update policy 424 c further specifies thatvirtual machine 410 c install the latest software package 418 c that isstored in the remote software package repository 444. The automaticupdate policy 424 c further specifies that the virtual machine 410 cinstall the security patch 448. The automatic update policy 424 cdiffers from the fixed policy 424 a and the security policy 424 b inthat the automatic update policy 424 c requires the virtual machine 410c to install the latest image 416 c and the latest software package 418c instead of the image 416 and the software package 418 that wereinstalled during the initial deployment of the software application 420.

Once a virtual machine 410 deploys a software application 420, there maybe some circumstances in which the virtual machine 410 has to redeploythe software application 420. For example, the virtual machine 410 mayneed to restart the software application and/or the virtual machine 410if the health status 421 of the software application 420 is unhealthy421U, as discussed above. In some scenarios, the virtual machine 410 mayhave to redeploy the software application 420 by reinstalling thesoftware application 420, the software package 418 and the image 416 inorder to restore the health status 121 of the software application 420.

In some implementations, when the application server 430 and/or thevirtual machine 410 a redeploy the software application 420 a that isassociated with the fixed policy 424 a, the application server 430and/or the virtual machine 410 a select the same image 416 a and thesame software package 418 a that were used to initially deploy thesoftware application 420 a. Advantageously, by selecting the same image418 a and the same software package 418 a that were used at the initialdeployment, the application server 430 and/or the virtual machine 410 ahelp ensure predictable behavior for the software application 420 a uponredeployment. The application server 430 and the virtual machine 410 ado not install the security patch 448 on the virtual machine 410 a inorder to ensure predictable execution of the software application 420 aupon redeployment. However, if the security patch 448 was installed onthe virtual machine 410 a at the initial deployment of the softwareapplication 420 a, then the application server 420 or the virtualmachine 410 a may install the security patch 448 on the virtual machine410 a.

In the example of FIG. 4, when the application server 430 and/or thevirtual machine 410 b redeploy the software application 420 b that isassociated with the security policy 424 b, the application server 430and/or the virtual machine 410 b select the same image 416 b and thesame software package 418 b that were used to initially deploy thesoftware application 420 b. Advantageously, by selecting the same image418 b and the same software package 418 b that were used at the initialdeployment, the application server 430 and/or the virtual machine 410 bhelp ensure predictable behavior for the software application 420 b uponredeployment. The application server 430 and the virtual machine 410 ainstall the security patch 448 on the virtual machine 410 b, because thesoftware application 420 b is associated with the security policy 424 bthat specifies that the security patch 448 be installed prior toredeployment. While installing the security patch 448 may change thebehavior of the software application 420 b upon redeployment, the changein behavior is minimized by maintaining the same image 416 b and thesame software package 418 b.

With continued reference to FIG. 4, when the application server 430and/or the virtual machine 410 c redeploy the software application 420 cthat is associated with the automatic update policy 424 c, theapplication server 430 and/or the virtual machine 410 c select thelatest image 416 c and the latest software package 418 c. Theapplication server 430 and/or the virtual machine 410 c install thesecurity patch 448 on the virtual machine 410 b, because the softwareapplication 420 b is associated with the automatic update policy 424 cthat specifies that the security patch 448 be installed prior toredeployment. Unlike the software application 420 a, the behavior of thesoftware application 420 c may change upon redeployment.

FIG. 5 illustrates a method 500 for redeploying a software application420 on a virtual machine 410. At 510, the application server 430receives a selection of the policy 424 for the software application 420.The application server 430 may display the three policies 424 a, 424 band 424 c to a user via a graphical user interface and the user mayselect one of the policies as the policy the user intends to impose onthe software application 420.

At 515, the application server 430 initially deploys the softwareapplication 420. At 520, the application server 430 takes a snapshot ofthe remote software repository 444 when the software application 420 isinitially deployed. The application server 430 may take the snapshot ofthe remote software repository 444 by archiving the software package 418that was initially installed on the virtual machine 410. By taking asnapshot of the remote software repository 444, the application server430 ensures that the software package 418 installed on the virtualmachine 410 at initial deployment may be available for use during aredeployment at a later time. At 525, the application server 430 storesa version identifier (ID) of the software package 418 in associationwith the software application 420. When the application server 430and/or the virtual machine 410 redeploy the software application 420 ata later time, the application server 430 can use the version ID toretrieve the software package 418 that was initially installed on thevirtual machine 410.

At 530, the application server 430 takes a snapshot of the remote imagerepository 442 when the software application 420 is initially deployed.The application server 430 may take the snapshot of the remote imagerepository 442 by archiving the image 416 that was initially mounted onthe virtual machine 410. By taking a snapshot of the remote imagerepository 442, the application server 430 ensures that the image 416mounted on the virtual machine 410 at initial deployment may beavailable for use during a redeployment at a later time. At 535, theapplication server 430 stores the version ID of the image 416 inassociation with the software application 420. When the applicationserver 430 and/or the virtual machine 410 redeploy the softwareapplication 420 at a later time, the application server 430 can use theversion ID to retrieve the image 416 that was initially mounted on thevirtual machine 410.

At 540, the application server 430 and/or the virtual machine 410 detecta trigger to restart the software application 420 and/or the virtualmachine 410. For example, the agent 112 may have determined a mismatchbetween the local health status 121L and the remote health status 121R,and the agent 112 may decide to restart the software application 420 orto the restart the virtual machine 410, as discussed above. Upon atrigger to redeploy the software application 420, the application server430 and/or the virtual machine 410 determine which policy 424 isassociated with the software application 420.

At 545, the application server 430 determines whether the fixed policy424 a is associated with the software application 420. If the fixedpolicy 424 a is associated with the software application 420, then theapplication server 430 retrieves the software package 418 a from theremote software repository 444 using the software version ID stored inassociation with the software application 420 a, at 550. At 555, theapplication server 430 retrieves the image 416 a from the imagerepository 442 using the image version ID stored in association with thesoftware application 420 a. Upon retrieving the image 416 a and thesoftware package 418 a, the application server 430 and/or the virtualmachine 410 a mount the image 416 a onto the virtual machine 410 a,install the software package 418 a on the virtual machine 410 a andredeploy the software application 420 a. In this scenario, due to thefixed policy 424 a, when the application server 430 and/or the virtualmachine 410 a redeploy the software application 420 a, the softwareapplication 420 a executes on the same image 416 a and the same softwarepackage 418 a as the software application 420 a was executing on whenthe application server 430 and/or the virtual machine 410 a initiallydeployed the software application 420 a. As a result, the softwareapplication 420 a is more likely to behave in a predictable manner.

If the policy 424 associated with the software application 420 is notthe fixed policy 424 a, then the application server 430 determineswhether the policy 424 associated with the software application 420 isthe security policy 424 b, at 560. If the policy 424 is the securitypolicy 424 b, then at 565 the application server 430 retrieves thesoftware package 418 b from the remote software repository 444 using thesoftware version ID stored in association with the software application420 b. At 570, the application server 430 retrieves the image 416 b fromthe image repository 442 using the image version ID stored inassociation with the software application 420 b. At 575, the applicationserver 430 retrieves the latest security patch 448 from the securityrepository 446. The security patch 448 is installed on the virtualmachine 410 b.

If at 560, the application server 430 determines that the securitypolicy 424 b does not apply, then at 580, the application server 430determines whether the automatic update policy 424 c applies. If theautomatic update policy 424 c applies, then at 585, the applicationserver 430 retrieves the latest software package 418 c from the remotesoftware repository 444, at 585. At 590, the application server 430retrieves the latest image 416 c from the remote image repository 442.At 575, the application server retrieves the security patch 448 andinstalls the security patch 448 on the virtual machine 410 c.

FIG. 6 illustrates an example implementation of a distributed computingsystem 600. The distributed computing system 600 includes a virtualmachine 610 interfacing with an application server 630. The virtualmachine 610 includes an application container 626 (e.g., a Linuxcontainer). Alternatively, the application container 626 may be a dockercontainer. The application container 626 includes all the software codeof the software application 620. The application container 626 includesthe application code 628 a and the user web-app process 628 b. The code628 a makes references to resources, such as application programminginterface libraries and certain operating system resources. Theapplication container 626 contains the application programming interfacelibraries 652 that the code 628 a references. The application container626 also contains portions of the operating system 654 that the code 628a references. The application container 626 may contain other resourcesthat are normally found in a virtual machine 610 and that the code 628 areferences. The virtual machine 610 includes an image of the operatingsystem. The operating system includes a file system 656. The file system656 is located outside the application container 626.

The application container 626 includes a file system mount 656 a on anapplication specific logging folder 658 of the file system 656. The code628 a can interact with the file system 656 of the operating system viathe file system mount 656 a. The application container 626 may onlycontain those portions of the file system 656 that are necessary for thecode 628 a to function as intended. By excluding all other portions ofthe file system 656 and the operating system from the applicationcontainer 626, the virtual machine 610 is relatively safer fromunforeseen bugs in the code 628 a. For example, the code 628 a may havecertain malicious functions that attempt to derail the stability of thevirtual machine 610. Any malicious functions in the code 628 a can onlyaccess the resources provided in the application container 626 and notthe resources located outside the application container 626. Forexample, the code 628 a cannot access the entire file system 656,therefore the amount of damage that the code 628 a can do to the filesystem 656 and other portions of the operating system is limited.

The agent 612 can monitor the resources that the code 628 a and the webprocess 628 b attempt to access. If the software application 620attempts to access APIs or other resources that are outside theapplication container 626, then the agent 612 can halt execution of thesoftware application 620. Alternatively, the agent 612 can terminate theexecution of the software application 620. Further, the agent 612 candetect breaches in the boundary of the application container 626. Forexample, if the code 628 a is successful in accessing a restricted or anunauthorized resource of the file system 656 that is outside theapplication container 626, then the agent 612 can halt operation of thevirtual machine 610 or terminate the virtual machine 610 altogether,thereby preventing excessive damage to the virtual machine 610.

The agent 612 may be configured to detect attempts from the code 628 ato access resources outside the application container 626 and generate awarning that may be provided to the application server 630. Theapplication server 630 may provide the warning to a user 180. The user180 may override the boundaries of the application container 626,thereby allowing the software application 620 to access portions of thefile system 656 that are located outside the container 626.

FIG. 7 depicts a method 700 for executing a software application 620 ina virtual machine 610. At 710, the software application 630 receives thecode 628 a for the software application 620. At 715, the applicationserver 630 determines the API libraries used by the software code 628 a.The application server 630 may determine the API libraries used by thesoftware code 628 a by determining the libraries referenced by thesoftware code 628 a. At 720, the application server 630 determinesportions of the operating system that are accessed by software code 628a. At 725, the application server 630 determines any other resourcesused by the software code 628 a.

At 730, the application server 630 instructs the virtual machine 610 tocreate an application container 626. The virtual machine 610 containsthe software code 628 a of the software application 620 inside theapplication container 626, at 735. At 740, the virtual machine 610imports the API libraries referenced by the software application 620into the application container 626. The virtual machine 610 importsportions of the operating system accessed by the software code 628 ainto the application container 626, at 745.

At 750, the virtual machine 610 executes the software application 620inside the application container 626. At 755, the agent 612 determineswhether the software application 620 is attempting to use an API libraryor resource that is outside the application container 626. At 760, theagent 612 generates a warning that the software application 620 isattempting to access an API or other resource that is outside theapplication container 626. The warning may be sent to the applicationserver 630. The application server 630 may send the warning to the user180 that the software application 620 is trying to access a resourceoutside the application container 626.

Alternatively, at 760, the agent 612 can request the application server630 for permission to expand the boundaries of the application container626. If the application server 630 grants permission to expand theboundaries of the application container 626, the virtual machine 610modifies the boundaries of the application container 626 by includingadditional resources inside the application container 626 that thesoftware application 620 requests during execution. In another exampleimplementation, the agent 612 halts execution of the softwareapplication 620 when the software application 620 attempts to access anAPI or other resource that is outside the application container 626. Themethod 700 ends at 765.

Various implementations of the systems and techniques described here canbe realized in digital electronic circuitry, integrated circuitry,specially designed ASICs (application specific integrated circuits),computer hardware, firmware, software, and/or combinations thereof.These various implementations can include implementation in one or morecomputer programs that are executable and/or interpretable on aprogrammable system including at least one programmable processor, whichmay be special or general purpose, coupled to receive data andinstructions from, and to transmit data and instructions to, a storagesystem, at least one input device, and at least one output device.

These computer programs (also known as programs, software, softwareapplications or code) include machine instructions for a programmableprocessor and can be implemented in a high-level procedural and/orobject-oriented programming language, and/or in assembly/machinelanguage. As used herein, the terms “machine-readable medium” and“computer-readable medium” refer to any computer program product,apparatus and/or device (e.g., magnetic discs, optical disks, memory,Programmable Logic Devices (PLDs)) used to provide machine instructionsand/or data to a programmable processor, including a machine-readablemedium that receives machine instructions as a machine-readable signal.The term “machine-readable signal” refers to any signal used to providemachine instructions and/or data to a programmable processor.

Implementations of the subject matter and the functional operationsdescribed in this specification can be implemented in digital electroniccircuitry, or in computer software, firmware, or hardware, including thestructures disclosed in this specification and their structuralequivalents, or in combinations of one or more of them. Moreover,subject matter described in this specification can be implemented as oneor more computer program products, i.e., one or more modules of computerprogram instructions encoded on a computer readable medium for executionby, or to control the operation of, data processing apparatus. Thecomputer readable medium can be a machine-readable storage device, amachine-readable storage substrate, a memory device, a composition ofmatter affecting a machine-readable propagated signal, or a combinationof one or more of them. The terms “data processing apparatus”,“computing device” and “computing processor” encompass all apparatus,devices, and machines for processing data, including by way of example aprogrammable processor, a computer, or multiple processors or computers.The apparatus can include, in addition to hardware, code that creates anexecution environment for the computer program in question, e.g., codethat constitutes processor firmware, a protocol stack, a databasemanagement system, an operating system, or a combination of one or moreof them. A propagated signal is an artificially generated signal, e.g.,a machine-generated electrical, optical, or electromagnetic signal thatis generated to encode information for transmission to suitable receiverapparatus.

A computer program (also known as an application, program, software,software application, script, or code) can be written in any form ofprogramming language, including compiled or interpreted languages, andit can be deployed in any form, including as a stand-alone program or asa module, component, subroutine, or other unit suitable for use in acomputing environment. A computer program does not necessarilycorrespond to a file in a file system. A program can be stored in aportion of a file that holds other programs or data (e.g., one or morescripts stored in a markup language document), in a single filededicated to the program in question, or in multiple coordinated files(e.g., files that store one or more modules, sub programs, or portionsof code). A computer program can be deployed to be executed on onecomputer or on multiple computers that are located at one site ordistributed across multiple sites and interconnected by a communicationnetwork.

The processes and logic flows described in this specification can beperformed by one or more programmable processors executing one or morecomputer programs to perform functions by operating on input data andgenerating output. The processes and logic flows can also be performedby, and apparatus can also be implemented as, special purpose logiccircuitry, e.g., an FPGA (field programmable gate array) or an ASIC(application specific integrated circuit).

Processors suitable for the execution of a computer program include, byway of example, both general and special purpose microprocessors, andany one or more processors of any kind of digital computer. Generally, aprocessor may receive instructions and data from a read only memory or arandom access memory or both. The essential elements of a computer are aprocessor for performing instructions and one or more memory devices forstoring instructions and data. Generally, a computer may also include,or be operatively coupled to receive data from or transfer data to, orboth, one or more mass storage devices for storing data, e.g., magnetic,magneto optical disks, or optical disks. However, a computer need nothave such devices. Moreover, a computer can be embedded in anotherdevice, e.g., a mobile telephone, a personal digital assistant (PDA), amobile audio player, a Global Positioning System (GPS) receiver, to namejust a few. Computer readable media suitable for storing computerprogram instructions and data include all forms of non-volatile memory,media and memory devices, including by way of example semiconductormemory devices, e.g., EPROM, EEPROM, and flash memory devices; magneticdisks, e.g., internal hard disks or removable disks; magneto opticaldisks; and CD ROM and DVD-ROM disks. The processor and the memory can besupplemented by, or incorporated in, special purpose logic circuitry.

To provide for interaction with a user, one or more aspects of thedisclosure can be implemented on a computer having a display device,e.g., a CRT (cathode ray tube), LCD (liquid crystal display) monitor, ortouch screen for displaying information to the user and optionally akeyboard and a pointing device, e.g., a mouse or a trackball, by whichthe user can provide input to the computer. Other kinds of devices canbe used to provide interaction with a user as well; for example,feedback provided to the user can be any form of sensory feedback, e.g.,visual feedback, auditory feedback, or tactile feedback; and input fromthe user can be received in any form, including acoustic, speech, ortactile input. In addition, a computer can interact with a user bysending documents to and receiving documents from a device that is usedby the user; for example, by sending web pages to a web browser on auser's client device in response to requests received from the webbrowser.

One or more aspects of the disclosure can be implemented in a computingsystem that includes a backend component, e.g., as a data server, orthat includes a middleware component, e.g., an application server, orthat includes a frontend component, e.g., a client computer having agraphical user interface or a Web browser through which a user caninteract with an implementation of the subject matter described in thisspecification, or any combination of one or more such backend,middleware, or frontend components. The components of the system can beinterconnected by any form or medium of digital data communication,e.g., a communication network. Examples of communication networksinclude a local area network (“LAN”) and a wide area network (“WAN”), aninter-network (e.g., the Internet), and peer-to-peer networks (e.g., adhoc peer-to-peer networks).

The computing system can include clients and servers. A client andserver are generally remote from each other and typically interactthrough a communication network. The relationship of client and serverarises by virtue of computer programs running on the respectivecomputers and having a client-server relationship to each other. In someimplementations, a server transmits data (e.g., an HTML page) to aclient device (e.g., for purposes of displaying data to and receivinguser input from a user interacting with the client device). Datagenerated at the client device (e.g., a result of the user interaction)can be received from the client device at the server.

While this specification contains many specifics, these should not beconstrued as limitations on the scope of the disclosure or of what maybe claimed, but rather as descriptions of features specific toparticular implementations of the disclosure. Certain features that aredescribed in this specification in the context of separateimplementations can also be implemented in combination in a singleimplementation. Conversely, various features that are described in thecontext of a single implementation can also be implemented in multipleimplementations separately or in any suitable sub-combination. Moreover,although features may be described above as acting in certaincombinations and even initially claimed as such, one or more featuresfrom a claimed combination can in some cases be excised from thecombination, and the claimed combination may be directed to asub-combination or variation of a sub-combination.

Similarly, while operations are depicted in the drawings in a particularorder, this should not be understood as requiring that such operationsbe performed in the particular order shown or in sequential order, orthat all illustrated operations be performed, to achieve desirableresults. In certain circumstances, multi-tasking and parallel processingmay be advantageous. Moreover, the separation of various systemcomponents in the embodiments described above should not be understoodas requiring such separation in all embodiments, and it should beunderstood that the described program components and systems cangenerally be integrated together in a single software product orpackaged into multiple software products.

A number of implementations have been described. Nevertheless, it willbe understood that various modifications may be made without departingfrom the spirit and scope of the disclosure. Accordingly, otherimplementations are within the scope of the following claims.

What is claimed is:
 1. A computer-implemented method when executed bydata processing hardware causes the data processing hardware to performoperations comprising: receiving an indication of a selection of aredeployment policy, the redeployment policy specifying an instantiationof a software application on a virtual machine when the softwareapplication is redeployed subsequent to an initial deployment of thesoftware application; detecting a trigger to restart the softwareapplication subsequent to the initial deployment of the softwareapplication on the virtual machine; identifying the redeployment policyassociated with the software application; and instantiating the softwareapplication on the virtual machine based on the identified redeploymentpolicy associated with the software application.
 2. The method of claim1, wherein the operations further comprise: initially deploying thesoftware application on the virtual machine by using a software packageand by mounting an initial deployment image on the virtual machine;storing the software package used to initially deploy the softwareapplication in a software repository; and storing the initial deploymentimage mounted on the virtual machine in an image repository.
 3. Themethod of claim 1, wherein the redeployment policy specifies: arespective software package to be used for redeployment of the softwareapplication subsequent to the initial deployment of the softwareapplication; and a respective image to mount on the virtual machine toredeploy the software application subsequent to the initial deploymentof the software application.
 4. The method of claim 3, wherein theoperations further comprise: determining that the redeployment policyspecifies: a software package used to initially deploy the softwareapplication as the respective software package to be used forredeployment of the software application subsequent to the initialdeployment of the software application; and an image mounted on thevirtual machine during initial deployment of the software application asthe respective image to mount on the virtual machine to redeploy thesoftware application subsequent to the initial deployment of thesoftware application; and retrieving, from one or more storagelocations, the software package used to initially deploy the softwareapplication and the image mounted on the virtual machine during initialdeployment of the software application.
 5. The method of claim 3,wherein the operations further comprise: determining that theredeployment policy specifies: a software package used to initiallydeploy the software application as the respective software package to beused for redeployment of the software application subsequent to theinitial deployment of the software application; an image mounted on thevirtual machine during initial deployment of the software application asthe respective image to mount on the virtual machine to redeploy thesoftware application subsequent to the initial deployment of thesoftware application; and a current security patch installed on thevirtual machine, the current security patch corresponds to a respectivesecurity patch installed on the virtual machine when the trigger torestart the software application is detected; and retrieving, from oneor more storage locations, the software package used to initially deploythe software application, the image mounted on the virtual machineduring initial deployment of the software application, and the currentsecurity patch.
 6. The method of claim 3, wherein the operations furthercomprise: determining that the redeployment policy specifies: a currentsoftware package as the respective software package to be used forredeployment of the software application subsequent to the initialdeployment of the software application, the current software packagecorresponding to a respective software package installed on the virtualmachine when the trigger to restart the software application isdetected; and a current image mounted on the virtual machine as therespective image to mount on the virtual machine to redeploy thesoftware application subsequent to the initial deployment of thesoftware application, the current image corresponding to a respectiveimage mounted on the virtual machine when the trigger to restart thesoftware application is detected; and retrieving, from one or morestorage locations, the current software package and the current image.7. The method of claim 1, wherein: instantiating the softwareapplication on the virtual machine based on the identified redeploymentpolicy associated with the software application occurs within anapplication container of the virtual machine; and the applicationcontainer does not include any references to resources that are notreferenced by the software application.
 8. The method of claim 1,wherein the operations further comprise generating the indication of theselection of the redeployment policy based on a policy selection at agraphical user interface by a user of the software application.
 9. Themethod of claim 1, wherein the trigger corresponds to an unhealthy stateof the software application on the virtual machine.
 10. The method ofclaim 1, wherein the trigger indicates an unauthorized attempt by thesoftware application to access resources outside of an applicationcontainer containing the software application of the virtual machine.11. A system comprising: data processing hardware; and memory hardwarein communication with the data processing hardware, the memory hardwarestoring instructions that when executed on the data processing hardwarecause the data processing hardware to perform operations comprising:receiving an indication of a selection of a redeployment policy, theredeployment policy specifying an instantiation of a softwareapplication on a virtual machine when the software application isredeployed subsequent to an initial deployment of the softwareapplication; detecting a trigger to restart the software applicationsubsequent to the initial deployment of the software application on thevirtual machine; identifying the redeployment policy associated with thesoftware application; and instantiating the software application on thevirtual machine based on the identified redeployment policy associatedwith the software application.
 12. The system of claim 11, wherein theoperations further comprise: initially deploying the softwareapplication on the virtual machine by using a software package and bymounting an initial deployment image on the virtual machine; storing thesoftware package used to initially deploy the software application in asoftware repository; and storing the initial deployment image mounted onthe virtual machine in an image repository.
 13. The system of claim 11,wherein the redeployment policy specifies: a respective software packageto be used for redeployment of the software application subsequent tothe initial deployment of the software application; and a respectiveimage to mount on the virtual machine to redeploy the softwareapplication subsequent to the initial deployment of the softwareapplication.
 14. The system of claim 13, wherein the operations furthercomprise: determining that the redeployment policy specifies: a softwarepackage used to initially deploy the software application as therespective software package to be used for redeployment of the softwareapplication subsequent to the initial deployment of the softwareapplication; and an image mounted on the virtual machine during initialdeployment of the software application as the respective image to mounton the virtual machine to redeploy the software application subsequentto the initial deployment of the software application; and retrieving,from one or more storage locations, the software package used toinitially deploy the software application and the image mounted on thevirtual machine during initial deployment of the software application.15. The system of claim 13, wherein the operations further comprise:determining that the redeployment policy specifies: a software packageused to initially deploy the software application as the respectivesoftware package to be used for redeployment of the software applicationsubsequent to the initial deployment of the software application; animage mounted on the virtual machine during initial deployment of thesoftware application as the respective image to mount on the virtualmachine to redeploy the software application subsequent to the initialdeployment of the software application; and a current security patchinstalled on the virtual machine, the current security patch correspondsto a respective security patch installed on the virtual machine when thetrigger to restart the software application is detected; and retrieving,from one or more storage locations, the software package used toinitially deploy the software application, the image mounted on thevirtual machine during initial deployment of the software application,and the current security patch.
 16. The system of claim 13, wherein theoperations further comprise: determining that the redeployment policyspecifies: a current software package as the respective software packageto be used for redeployment of the software application subsequent tothe initial deployment of the software application, the current softwarepackage corresponding to a respective software package installed on thevirtual machine when the trigger to restart the software application isdetected; and a current image mounted on the virtual machine as therespective image to mount on the virtual machine to redeploy thesoftware application subsequent to the initial deployment of thesoftware application, the current image corresponding to a respectiveimage mounted on the virtual machine when the trigger to restart thesoftware application is detected; and retrieving, from one or morestorage locations, the current software package and the current image.17. The system of claim 11, wherein: instantiating the softwareapplication on the virtual machine based on the identified redeploymentpolicy associated with the software application occurs within anapplication container of the virtual machine; and the applicationcontainer does not include any references to resources that are notreferenced by the software application.
 18. The system of claim 11,wherein the operations further comprise generating the indication of theselection of the redeployment policy based on a policy selection at agraphical user interface by a user of the software application.
 19. Thesystem of claim 11, wherein the trigger corresponds to an unhealthystate of the software application on the virtual machine.
 20. The systemof claim 11, wherein the trigger indicates an unauthorized attempt bythe software application to access resources outside of an applicationcontainer containing the software application of the virtual machine.